88% of IT Admins Would Steal Passwords If Laid Off
narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
Sounds like an unreasonable estimate to me. If people were that vindictive and dishonest then IT (and similar) systems wouldn't ever keep working.
Typically, (at least in companies with some sense) the decision to remove an IT worker is made in advance, with steps taken to drastically reduce that individual's ability to do damage.
Rarely is an IT worker told about their demise until steps are in place to have someone watch that person pack their belongings, upon which they are escorted to the door. They would be lucky to steal their favorite coffee mug in such cases.
Stupid is the company that gives notice to someone with keys to the kingdom, except in cases where the person is needed to stick around to train their own replacement.
But then, anyone who would agree to do that without MASSIVE compensation, is a pussy.
That said, I do know a guy who kept a series of special GPOs at the ready when he figured he was on his way out of HP back in the day...
TFA was very vague in how they frame "stealing." When I have left (of my own accord) a job, there is invariably a certain amount of information written in my notebooks when I pack up my cube that probably contain some user/password items, hostnames, door codes, etc. If you call that "stealing" I'd say the statistic is right.
When I am leaving a job, I'm not actively concerned in making sure every piece of knowledge about my tenure is forgotten and every napkin I may have scribbled something on is returned or destroyed, and every backup I've made is destroyed because I use a lot of the scripts/docs/etc... as part of my new job hiring interview. Conversely, most firms I've worked at haven't changed their admin passwords or door codes when I left, so they don't seem particularly concerned either. (Which may or may not be normative.)
I would say that the time when most IT folks are going out of their way to collect information is if they feel like they're being set up for the fall guy. At my last gig my project lead liked to broadcast the whole group when a server went down (blaming me) so I was meticulous to keep a copy of every log, logon time, email from her, so when I was accused, I could defend myself to our supervisor. If you're being laid off for some straight-up BS; and you're acute enough to see it coming, you better bet I'm going to collect as much as I can to clear my name. Be it to that firm or my new employer should I get a bad reference.
Forgive my spelling from time to time. I'm often posting during short breaks.
When someone is laid off for no apparent reason, they often feel hurt and betrayed. A natural reaction is that the trust between them has already been destroyed.
At one company I was with, a sysadmin was on a conference call, and had his hands full when the call ended. The CEO never hung up the phone, and started talking to his assistant about people losing their jobs and how much severance would be paid. The sysadmin, who probably should have hung up when he was first able to, couldn't resist listening for a short time. After a couple of minutes, the CEO finally realized that his phone was still on, and hung up the line. By that time, the sysadmin knew that several people would be laid off soon, but not how soon, or which people.
He informed a couple of his friends that the company was in worse shape than he had realized, and discreetly began updating his resume. Within a month, the company was bought out and closed down by another company and everyone lost their jobs. He was asked to stay on as part of the transition team and that the new company would pay him, but after a couple of days, it was clear that he had been working for free and the new company was not going to honor the agreement.
At that time, he still had sysadmin access, and began to look through emails of the former employees. Some, including the CEO, were still getting and sending emails through web access through the old company server. He learned that although the board of directors did not want to spend the money to make sure that the fired employees could still have health insurance for a couple of months, they were willing to give the former CEO $25,000 for his efforts.
I have always said that a good sysadmin knows all the secrets of a company, but a great sysadmin knows when not to look. In this case, was the sysadmin justified in looking after he had been promised to be paid and then told he was not being paid? (Yes, his access should have been cut off, but he was the one who would have had to cut himself off and he was never told to do so.)
Although this situation may be unique, I think that many sysadmins may feel the same way. Once they are betrayed, they no longer feel the need to stay loyal to those that betray them.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
I've watched three IT admins get escorted out of the building in the past 5 years due to my sending of emails carefully salted with bogus salacious information about our department. If the fake information doesn't make it to a certain vice-president, then their job is safe. If it does, then there's only one person who could have known it (besides me of course), and out the door they go.
This little collateral duty of mine has been quite lucrative - I receive a percentage of whatever money the company saved by firing the dirtbag admins who couldn't keep their noses out of other people's data. And if they were willing to pass on what essentially is inter-office gossip, then who is to say that they wouldn't be just as willing to pass our trade secrets to outsiders?
No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
I dunno..
I've worked at some companies that were really strange. In one particular place the CTO had some interesting files in his share. Now I'm not a prude by any means, but this guy's share had some weird sh*t. At least my p0rn is wholesome (yeah yeah, one man's wholesome is another man's bestiality... baaaah and moo to you). It's tough not to notice when the guy's fileshare took up close to 80G out of the 100G allocated to the entire company (this was the days before 1TB drives were common).
The guy was also an ass though. When I left I made sure that I held onto the offsite mail spool backup because he wasn't above writing a check and then stopping it at the bank. I still have that backup, btw. Hi Mark.
In every other place though, I could not care any less about what they kept in their mail spool or fileserver. If their raccoon and chihuahua p0rn and watermelon fetish is clogging up the backups I'll send them an automated email telling them to clean up, but that's it. None of my business.
If you are that good as an IT admin (or any other position, for that matter), if you are that good, they will have already done more damage to the company by firing you, than you could do deliberately back to them.
Recruiters estimate that simply by firing one person and hiring another, a company will lose around $120,000 in productivity alone; HR and accounting paperwork to fire that person, redundancy payments for several months in advance, along with recruiters fees to find someone new, time taken by existing employees to interview possible candidates, more HR and accounting paperwork to hire the person if there is a match, and time taken by the new employee to get up to speed. Not even considering that other people may be waiting for various tasks to be completed by the person in that position.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
I agree, accidentally deleting a huge database is better. Go in, yank 1 cable from the back of the server and plug it back in from one of the power vaults to the Raid 50 and the raid will eat itself over the course of 2-3 days. Without any admins familiar with it, they will not get the pile of raid failure warnings until most of the DV and files are corrupt. Bonus points if it takes 2-3 weeks and all the backups are corrupted as well.
Impossible to trace or prove anything was intentional, and it screws them good.
There are at least 80 other ways to cause gradual data corruption that without familiar IT staff on hand will grow out of control by the time someone finds it.
Screw stealing passwords or data, just start a chain of unfortunate events.
My favorite is to make some very restrictive rules in the company firewall and then save it, revert to the old rules right before you're laid off. The date stamp will be from months previous and confuse anyone tromping around in it.
Do not look at laser with remaining good eye.
Making a blanket statement like this only seeks to infuriate the less-informed. I wonder, if the same study was done, for those individuals who hold a security clearance, would the same hold true? ABSOLUTELY NOT! Integrity is one of the big assets you can carry with you in life, and even if you are dealt shit, it doesn't mean you have to compromise your integrity or ethics. The time will come when you perhaps have the ability to even the scales, but do it within the scope of keeping your own respectability and integrity high. All it takes is one random comment to start a ball rolling that will soon destroy you. Then again, if you are just a poser in a job, then you deserve everything that happens to you.
Amen to this. People seem to get all wide-eyed over getting root access and such. Personally, I don't want any more access than is necessary to do my job so I can earn my paycheck and go home. You want to take away some access from me. Fine. Here is how I can do my job with these limits. You decide.
Once when I was brand new in the IT field I found the salary information for the company I was working for. Well, my curiosity got the best of me. It was quite anti-climactic and was probably the event that I needed to realize that I really don't care about most of what is out there. 15 years later I'm the IT director of a company with root access to every router, database and server. I didn't care what anyone made. I had years to look at any information in the payroll system or anywhere else and didn't care. On the day that I left (not on the best terms) the guy who took my place called me at home and asked me to fix something on one of the routers that evening. I did using the same password I'd used the day before. I never tried again to see if it worked or had been changed. It's been years. I still know it, it may still work and I still don't care.
On a few occasions I was asked by those with authority to do so to examine some systems to see if there was any evidence of criminal activity. During that time I saw stuff that the system's users might not want me to know and uncovered some unethical (but not illegal) activity. I told those in authority only the information they had asked me for, left the rest of it alone and didn't tell anyone else about it. Again, I don't care. Want me to design your database or set up your server room? OK. Want me to get involved in high school office politics and get me on your office "team?" Stop wasting my time and go hump someone else's leg.
I just want to do the job I'm assigned and go home.
Moral issues aside, some companies are so lax in their security policies that they make it easy for those so inclined to take revenge. On my first day at a drug and alcohol rehab place where I used to work, I found a floppy disk (remember those?) in one of my desk drawers with everyone's salary, social security numbers, etc. I turned it in to management with a suggestion they be more careful, but I could just as easily have been a dick about it. I found out later that a previous sysadmin had done just that, locking them out of the network when they fired him. You'd think people would learn. Just more proof that you don't have to be particularly smart to be in charge.
Good for you that you don't have a criminal mind.
Snagging the CEO's password isn't about access to the network.
It's about impersonating the CEO.
E.g. Go to some underfunded public library far from your home, install the VPN client from the disk you have laying about at home... voilà... You can send, receive, reply to, and delete email as the CEO. Imagine the damage you could do. Likely the best tactic would be to not "invent" anything, but just forward well chosen items from his Sent Items folder to the right (aka wrong) people.
And no I'm not a shady character. It's just good practice to think like the enemy.
Also, I agree the article seems like BS. Just look at the source.
Operator, give me the number for 911!
This happened at my town of about 30k citizens; this was before I was there as an intern. The previous person was replaced since she stayed on even after a new person came as head of IT. The other had passed away a few years before this and she was essentially the head of IT. Well, then they got a new head of IT, my boss, and she was replaced as she tried to get out of the job, and she deleted all records and she had to be sued to get the passwords. Never mind all our servers were a mess at the time, and since then we have fixed everything: new servers on VMware, new switches, as all the stuff was out of date. This is a 3 man team by the way, or 5 if you count us interns; might as well, as we get paid and do the same stuff as the regular guys.
I wouldn't go out of my way to steal the passwords, but I keep the passwords I use in a password database type application. I had copies of that database at home for work-at-home use.
I still have them from my previous employer, and have never used them, but I don't have any intention of getting rid of them either. You never know when they might be useful for non-malicious purposes.
My local export of the Subversion repository (mostly stuff I wrote) is also a useful reference on occasion.
I've been through a couple of layoffs. In one, the company was concerned about stealing, sabotage, and other vindictive behaviours. So they surprised everyone with two week severance packages and an escort out the door one morning. They brought in people at the butt crack of dawn to turn off every computer in the building. Later, "core" people started deserting the company, taking whatever they wanted with them.
In the other one, there was an announcement, something like, "The 20 people in this room are being laid off. Starting in two weeks we're going to lay off 4 people per week for 5 weeks. We expect you all to continue to do your jobs as well as you can *while* you look for work. Let your supervisor know of any scheduled interviews, they will be considered paid time off. As you find work report your start date so each week we can try to lay off people who already have new jobs."
The second layoff went without a hitch. The people laid off kept relations with the company, some came back later.
I know it's not the same as firing someone, but it does seem to me some companies treat laid off employees as if they've been fired.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
The last thing I wanted was to be in a position where someone hacked the systems and I got blamed because I "knew the passwords"....
I even handed over my personal notes on the network and had my boss shred the ones he didn't need before I left.
I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords.
-merlyn
"The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
A thought just occurred to me. Remember the Slashdot story a while back about changing the nature of the information in such a way that only the absolute essentials would be released and it would be in a form that would protect the users' privacy? I would think the same relationship would apply to an internal network. The admin would only have access to the essential information in a form that would protect internal privacy AND allow the admin to do his/her work.
As they say "most security threats are from within".
Just take the security of personal freedoms in the USA. Those in charge of the government at this time have stolen much freedom in the double speak name of freedom. Having passwords "stolen" or "remembered off site" is potentially just the same. Much damage could be inflicted upon companies depending on the range of access that the admins have that are laid off. Identity theft can occur, etc...
Escorting people out is one way. I've been "let go" a number of times. Usually it's simply two weeks notice and all works out. Other times it's two hours and they have someone watching you the whole time and escorting you out with your two weeks severance. One time it was after I arrived home on a Friday night with a phone call and stuff sent to me via courier. It all depends upon their paranoia factors. Often the reasons are not even told to us. In many ways employees and even contractors and consultants are modern day indentured servants.
Of course finding out that the system admins stole passwords or used them afterwards generally means it was wise for the company to let them go as those kinds of admins are dishonest (maybe more honest than whom they used to work for but still).
Systems really are brittle with many ways to subvert them. Rather than subvert your past employer's systems I'd recommend building your own path to financial independence so that you don't need to work for companies that have the power to fire you!
I spent four years working as a school sysadmin--one for an elementary school and three for a high school.
Unhappy with an incompetent and micromanaging elementary-school principal, I interviewed for the sysadmin job at another school. That principal called my principal to facilitate handing me over, and I subsequently received the third degree for being "disrespectful and underhanded", along with "I could say things about you to make sure you never work in the school district again." Said principal then twisted my new principal's arm enough to get me split part-time each between the two schools.
Fortunately, I got a post as the sysadmin for a high school--one full-time job instead of two part-timers.
After two years and two micromanaging, incompetent principals, the principal threatened to not reappoint me for a third year. Among other reasons, he received hearsay that I had applied for another job.
So what did I learn working for a public school district? Four years of long hours and low pay, three supervisors who shouldn't even have been working at McDonald's, and two threats to get rid of me for something legal I did while off the clock.
I didn't sabotage anything, but I could have. Thank God for my personal ethics. And they wonder why they can't hold onto IT staff...
League of Professional System Administrators Code of Ethics. I have a copy hanging on the wall by my desk and I refer to it regularly to keep me honest. Integrity is the biggest asset for any system administrator.